Guidelines for Administering vNET Specific Commands



The purpose of vNET objects is to provide independent network domains whose administrators can manage a set of dedicated resources without having to involve the network/fabric administrator, but only within the constraints of the roles that the network/fabric administrators defined.


Access control is performed based on the scope of a vNET, which includes several dedicated ports on which it is possible to apply certain commands or use certain dedicated resources.


The applicable dedicated resources fall into the following categories of commands within the vNET admin scope:


  • Layer 1 commands (i.e., port-related commands):
    • port-show (shows vNET ports but not internal/cluster ports)
    • port-phy-show (shows managed and shared ports)
    • port-config-modify/show (shows managed ports)
    • bezel-portmap-show (shows managed ports)
    • port-vnet-show (shows managed ports)


  • Layer 2 commands (i.e., VLAN/LACP/STP/vLAG commands allowed on managed ports only):
    • port-lacp-modify/show
    • vlag-create/modify/delete
    • trunk-create/modify/delete
    • stp-port-modify/show/stp-portevent-show
    • port-config-modify port <port_num> speed <speed> command is allowed for vNET manager only on vNET admin managed ports.
    • A vNET admin is not allowed to change the native VLAN (untagged VLAN) on a shared port with the port-vlan-add command.
    • For vlan-create commands, only VLANs allotted to the vNET admin can be configured.


  • Layer 3 commands (i.e., vRouter commands, where the scope is local for the vNET):
    • static-ecmp-group-show/static-ecmp-group-nh-show
    • vrouter-ping/traceroute
    • bridge-domain-*
    • subnet-create to configure multiple subnets to a single VRF


  • Security and Services commands (i.e., vFlow and QoS commands on ports managed by the vNET admin):
    • vflow-create/vflow-modify (only ports managed by the vNET admin are allowed for vFlow qualifiers and actions. The vlan range and vxlan range should be within the vNET VLAN and vNET VXLAN range).
    • port-cos-bw-* commands (supported for ports managed by the vNET admin only).
    • mirror-create/modify commands


Caution: We recommend NOT using the vNET feature together with port mirroring (mirror-create/mirror-modify commands) or minimum and maximum bandwidth on ports (port-cos-bw-modify command), as these features are not supported with vNET functionality in NetVisor version 7.1.0 and later.


Note: If any of the above commands are run on a port outside the scope of a vNET, a "No permission for port 'port = %d'" message is displayed, for example:


CLI (network-admin@switch) > vlag-create name vl1 port 99 peer-port 99

vlag-create: No permission for port 'port = 99'


Let us consider an example of vNET creation and see how the above commands behave within it:


CLI (network-admin@switch) > vnet-create name vn1 scope fabric vlan-type private public-vlans 2000-2099 num-private-vlans 10 num-bridge-domains 3 vxlans 10000100-10000109 managed-ports 9,17 shared-ports 18 shared-port-vlans 105-109

Creating vn1-mgr zone, please wait...


With this command the network administrator creates a vNET as a dedicated domain comprising managed and shared ports as well as private and public VLANs and VXLAN IDs. In other words, the fabric admin is partitioning the resources to provide a dedicated and restricted view on the network for the vNET admin.
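As an added illustration (not NetVisor OS code), the following Python model reproduces the scope checks described in this section, so a planned vNET change can be validated against a vNET definition before it is typed at the CLI. The command names, argument names and error strings follow this page; the error wording for an out-of-range VLAN or VXLAN ID is an assumption, since the page shows none.

```python
from __future__ import annotations
from dataclasses import dataclass

# Commands this page lists as allowed on vNET-managed ports only (shared ports excluded).
MANAGED_ONLY = {"port-config-modify", "port-lacp-modify", "vlag-create", "trunk-create",
                "stp-port-modify", "vflow-create", "port-cos-bw-modify"}


def parse_list(spec: str) -> frozenset[int]:
    """Parse NetVisor-style lists such as '9,17' or '2000-2099,105-109' into a set of ints."""
    items: set[int] = set()
    for part in filter(None, (p.strip() for p in str(spec).split(","))):
        lo, _, hi = part.partition("-")
        items.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(items)


@dataclass(frozen=True)
class VnetScope:
    """Resources dedicated to one vNET by vnet-create: ports, VLANs and VXLAN IDs."""
    managed_ports: frozenset[int]
    shared_ports: frozenset[int]
    vlans: frozenset[int]
    vxlans: frozenset[int]

    def check(self, command: str, args: dict[str, str]) -> str | None:
        """Return the error a vNET admin would see, or None when the command is in scope."""
        ports = {int(args[k]) for k in ("port", "peer-port") if k in args}
        ports |= parse_list(args.get("ports", ""))
        outside = sorted(ports - self.managed_ports - self.shared_ports)
        if outside:  # port is not part of the vNET at all
            if command == "stp-port-modify":
                return "No permission over ports " + ",".join(map(str, outside))
            return f"No permission for port 'port = {outside[0]}'"
        if command == "port-vlan-add" and "untagged-vlan" in args:
            # The page's example shows this refused on managed port 9 as well as on shared ports.
            return "No permission to modify untagged-vlan field"
        shared = sorted(ports & self.shared_ports)
        if command in MANAGED_ONLY and shared:
            return f"No permission for port 'port = {shared[0]}'"
        # VLAN/VXLAN arguments must stay inside the ranges allotted to the vNET; the page
        # shows no wording for this case, so the message below is assumed.
        for key, allowed, label in (("id", self.vlans, "VLAN"), ("vlan", self.vlans, "VLAN"),
                                    ("vxlan", self.vxlans, "VXLAN")):
            if key in args and not parse_list(args[key]) <= allowed:
                return f"{label} {args[key]} is outside the vNET scope"
        return None


# The vNET from this page's vnet-create example: managed ports 9,17, shared port 18,
# public VLANs 2000-2099, shared-port VLANs 105-109, VXLAN IDs 10000100-10000109.
VN1 = VnetScope(parse_list("9,17"), parse_list("18"),
                parse_list("2000-2099,105-109"), parse_list("10000100-10000109"))
```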


The following examples show how a vNET’s view gets constrained for each command:


CLI (network-admin@switch) > port-show

switch port bezel-port status     config
------ ---- ---------- ---------- ------
switch 9    9          up,vlan-up fd,10g
switch 17   17         disabled   fd,10g
switch 18   18         disabled   fd,10g


In this example the vNET admin can only view the managed and shared ports chosen as part of the vNET creation process, out of all the front panel ports.


Note: When you run the port-show command for a private vNET, only vNET managed ports are displayed. But for a public vNET, all ports except internal ports and cluster ports are displayed.


Starting with NetVisor OS version 7.0.0, the new CLI command port-vnet-show is available to view the ports that are assigned to vNETs and the respective VLANs of each vNET. This command displays the details that you configured when you added port(s) with the vnet-port-add command:



CLI (network-admin@switch) > port-vnet-show

name name-string
The name of the virtual network (vNET).

managed-ports port-list
The list of vNET exclusive ports.

num-vlans 1..4094
The number of global VLANs assigned to this vNET. This is a number between 1 and 4094.

vlans vlan-list
The VLANs assigned to a public VLAN vNET.


For example, if you had configured ports 9, 17, 18 and VLANs 3 and 5 on vNET vn1-global, then the output looks like:


CLI (network-admin@switch) > port-vnet-show

name       managed-ports num-vlans vlans
---------- ------------- --------- ---------
vn1-global 9,17          10        2000-2099


To view the PHY details, use the command:


CLI (network-admin@switch) > port-phy-show

port bezel-port state speed eth-mode   max-frame def-vlan
---- ---------- ----- ----- ---------- --------- --------
9    9          up    10000 10Gbase-cr 1540      0
17   17         down  10000 10Gbase-cr 1540      1
18   18         down  10000 10Gbase-cr 1540      0


Also, the front panel and PHY information is constrained to the ports selected as part of the vNET creation process. Port configuration gets constrained too, for example:


CLI (network-admin@switch) > port-config-show format port,enable,

port enable
---- ------
9    on
17   off


Regarding the Layer 2 configuration, these commands also get a constrained view:


CLI (network-admin@switch) > port-vlan-add port 9 untagged-vlan 45

port-vlan-add: No permission to modify untagged-vlan field


As displayed, untagged VLANs are prevented from being changed.


vLAGs can be created only using accessible ports (such as port 9 in the example below):


CLI (network-admin@switch) > vlag-create name vl1 port 9 peer-port 9

CLI (network-admin@switch) > port-lacp-show layout vertical

switch:          switch
port:            9
name:            v11
port-type:       vlag
mode:            passive
timeout:         slow
system-id:       66:0e:94:b6:ab:01
lacp-key:        36285
system-priority: 32768
port-priority:   32768
aggregatable:    yes
sync:            yes
coll:            yes
dist:            no
defaulted:       yes
expired:         no
port-state:      0x5c


whereas inaccessible ports are blocked in the configuration:


CLI (network-admin@aquarius00) > vlag-create name vl1 port 99 peer-port 99

vlag-create: No permission for port 'port = 99'


Similarly, a VLAN trunk can be created (and then deleted) using accessible ports 9 and 10 like so:


CLI (network-admin@switch) > trunk-create name t ports 9-10

trunk 273 defer-bringup set to 1 based on first port 9
Created trunk t, id 273

CLI (network-admin@switch) > trunk-show format name,trunk-id,ports

name                 trunk-id ports
-------------------- -------- -----
t                    274      9-10
vxlan-loopback-trunk 397


CLI (network-admin@switch) > trunk-delete name t


Furthermore, spanning tree (STP) commands are limited to accessible ports only:


CLI (network-admin@switch) > stp-port-show port 10

port block filter edge bpdu-guard root-guard priority cost
---- ----- ------ ---- ---------- ---------- -------- ----
10   on    off    no   no         no         128      2000

CLI (network-admin@switch) > stp-port-modify port 53 cost 10000

stp-port-modify: No permission over ports 53

CLI (network-admin@switch) > stp-port-event-show

switch  time     port vlan   instance count initial-state other-state final-state
------- -------- ---- ------ -------- ----- ------------- ----------- -----------
switch  01:13:52 17   1,4094 0        3     Disabled      Disabled    Forwarding
switch  01:15:42 9    1      0        1     Disabled      Disabled    Discarding
switch  01:16:02 9    1      0        1     Discarding    Disabled    Learning
switch  01:16:12 9    1      0        1     Learning      Disabled    Forwarding
switch  01:17:53 17   1      0        1     Forwarding    Disabled    Disabled
switch  01:17:53 9    1      0        1     Forwarding    Disabled    Disabled
switch  01:29:00 17   4094   0        1     Disabled      Disabled    Forwarding


For Layer 3 configuration, the vRouter commands get a constrained view too (limited to accessible VLANs and interfaces), like so:


CLI (network-admin@switch) > vrouter-create name vr1 vnet vn1 router-type hardware

Creating vr1 zone, please wait...

vrouter created


As stated in the overview section, only a network admin can create vRouters. A permission error is displayed if a vNET admin tries to create a vRouter, as in the example below:


CLI (vnet1-admin@switch) > vrouter-create name vr1 vnet vnet1

vrouter-create: No permission to create vrouter in vnet manager


CLI (network-admin@switch) > vrouter-interface-add vrouter-name vr1 ip 192.168.99.13/24 vlan 100

Added interface eth0.100 with ifIndex 159


CLI (network-admin@switch) > vrouter-interface-show format vrouter-name,nic,ip,vnet,vlan,vlan-type,nic-state,mtu

vrouter-name nic      ip               vnet vlan vlan-type nic-state mtu
------------ -------- ---------------- ---- ---- --------- --------- ----
vr1          eth0.100 192.168.99.13/24 vn1  100  private   up        1500


The static-ecmp-group-* commands are allowed only within the vNET scope (local), and duplicate entries from other switches are blocked when logged in as vnet-admin. For example:


CLI (network-admin@switch) > vnet-create name VNET2 scope fabric

Creating VNET2-mgr zone, please wait...

Vnet created. Vlans assigned: 5

CLI (network-admin@switch) > vrouter-create name vr_fabric vnet VNET2 router-type hardware

Creating vr_fabric zone, please wait...

vrouter created


CLI (network-admin@switch) > static-ecmp-group-create group-name G1 scope fabric vrouter-name vr_fabric hash-type non-resilient


CLI (network-admin@switch) > static-ecmp-group-nh-add group-name G1 ip 1.1.1.1


CLI (network-admin@switch) > vnet-create name vnet2-data scope fabric

Creating vnet2-data-mgr zone, please wait...

Vnet created. Vlans assigned: 6


root@switch:~# lxc-attach -n vnet2-data-mgr

root@vnet2-data-mgr:~# nvOS_cli --quiet static-ecmp-group-show

root@vnet2-data-mgr:~# exit


root@switch:~# lxc-attach -n VNET2-mgr


root@VNET2-mgr:~# nvOS_cli --quiet static-ecmp-group-show

group-name scope  vrouter-name hw-ecmp-id hash-type
---------- ------ ------------ ---------- -------------
G1         fabric vr_fabric    200000     non-resilient

root@VNET2-mgr:~# nvOS_cli --quiet static-ecmp-group-nh-show

group-name ip      vlan egress-id
---------- ------- ---- ---------
G1         1.1.1.1 0    -1


root@VNET2-mgr:~# exit


CLI (network-admin@switch) > vnet-create name VNET1 scope cluster

Creating VNET1-mgr zone, please wait...

Vnet created. Vlans assigned: 7


CLI (network-admin@switch) > vrouter-create name vr_cluster vnet VNET1

Creating vr_cluster zone, please wait...

vrouter created


CLI (network-admin@switch) > static-ecmp-group-create group-name G2 scope cluster vrouter-name vr_cluster hash-type non-resilient


CLI (network-admin@switch) > static-ecmp-group-nh-add group-name G2 ip 2.1.1.1


On the Global vNET, you can view all details, for example:


CLI (network-admin@switch) > static-ecmp-group-show

switch  group-name scope   vrouter-name vrid hw-ecmp-id hash-type
------- ---------- ------- ------------ ---- ---------- -------------
switch1 G1         fabric               -1   -1         non-resilient
switch2 G1         fabric  vr_fabric         200000     non-resilient
switch1 G2         cluster              -1   -1         non-resilient
switch2 G2         cluster vr_cluster   1    200001     non-resilient


root@switch:~# lxc-attach -n vnet2-data-mgr

root@vnet2-data-mgr:~# nvOS_cli --quiet static-ecmp-group-nh-show

root@vnet2-data-mgr:~# exit

root@switch:~# lxc-attach -n VNET2-mgr


root@VNET2-mgr:~# nvOS_cli --quiet static-ecmp-group-nh-show

switch group-name ip      vlan egress-id
------ ---------- ------- ---- ---------
switch G1         1.1.1.1 0    -1

root@VNET2-mgr:~# nvOS_cli --quiet static-ecmp-group-show

switch group-name scope  vrouter-name hw-ecmp-id hash-type
------ ---------- ------ ------------ ---------- -------------
switch G1         fabric vr_fabric    200000     non-resilient


root@VNET2-mgr:~# exit

root@switch:~# lxc-attach -n VNET1-mgr


root@VNET1-mgr:~# nvOS_cli --quiet static-ecmp-group-show

switch group-name scope   vrouter-name vrid hw-ecmp-id hash-type
------ ---------- ------- ------------ ---- ---------- -------------
switch G2         cluster vr_cluster   1    200001     non-resilient

root@VNET1-mgr:~# exit


The vrouter-ping/traceroute commands display a constrained view as well:


CLI (network-admin@switch) > vrouter-ping vrouter-name vr1 host-ip 192.168.99.13

PING 192.168.99.13 (192.168.99.13) 56(84) bytes of data.
64 bytes from 192.168.99.13: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.99.13: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 192.168.99.13: icmp_seq=3 ttl=64 time=0.063 ms
^C
--- 192.168.99.13 ping statistics ---
